Field
Embodiments of the present invention generally relate to the field of network security techniques. In particular, various embodiments relate to configuration of security rules of a rule-based security device using interface groups.
Description of the Related Art
A firewall is an integrated collection of security measures designed to prevent unauthorized access to a networked computer system. It may also take the form of a flow control device, or set of devices, configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria. Organizations that use Internet Protocol (IP) based communication networks have firewalls or access control devices/mechanisms to control the traffic that crosses into and out of their networks, or between different network segments. Each firewall is essentially a special-purpose computer that enforces the organization's traffic filtering policy.
Typically, the filtering policy is implemented in a rule-base, wherein each rule consists of a set of fields that collectively define a traffic flow to which the rule pertains, and an associated action that is used to control the defined traffic flow. In a security rule, a traffic flow may be identified by address, user-identity or device identity. The traffic flow may further be identified by its source interface, i.e., the interface by which the traffic flow arrives at the firewall, and its destination interface, i.e., the interface by which the traffic flow is routed out of the firewall.
In defining a traffic flow, the source or destination interface may be any one of the network interfaces of the firewall. The firewall may also designate “any interface” as the source and/or destination interface in a rule. That means the traffic flow that the rule is controlling can be from/to any interface of the firewall. However, accepting the traffic from/to any interface may expose the network to potential leaks and the network administrator may prefer to allow the traffic between some but not all of the interfaces of the firewall in one rule. In order to accept a traffic flow between only a proper subset of all the interfaces of a firewall in one rule, some of the firewall's interfaces may be defined as a zone and then, the zone may be designated as a source and/or destination of the rule so that a traffic flow between multiple interfaces may be controlled by one rule. Another option is to configure multiple rules in full mesh to control the traffic between the multiple interfaces. However, configuring rules in full mesh is not convenient for the network administrator and makes the rule set complicated for maintenance.
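The three ways of scoping a rule by interface described above (the "any interface" wildcard, a zone or interface group, and a full mesh of per-pair rules) can be made concrete with a small first-match rule-base evaluator. This is an added illustration, not code from the patent application or from any particular firewall product; the interface names (port1, wan1, dmz1), zone membership, IP prefixes and sample flows are all constructed for the example, and the prefix-based address matching is a deliberate simplification of a real rule's address fields.

```python
"""Toy first-match firewall rule-base showing interface scoping.

Added example (not from the patent). Interface names, zones, prefixes and
the sample flows are constructed; address matching is simplified to a
single source/destination prefix per rule.
"""
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Iterable, List, Optional, Tuple

ANY = "any"  # the "any interface" designation described in the text


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_if: str  # interface on which the traffic arrives at the firewall
    dst_if: str  # interface by which the traffic would be routed out


@dataclass(frozen=True)
class Rule:
    src_ifs: FrozenSet[str]  # {ANY} matches every interface
    dst_ifs: FrozenSet[str]
    src_net: str             # e.g. "10.0.0.0/8"; "0.0.0.0/0" matches all
    dst_net: str
    action: str              # "accept" or "deny"


def _in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _if_match(iface: str, allowed: FrozenSet[str]) -> bool:
    return ANY in allowed or iface in allowed


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule wins; fall through to the default action."""
    for idx, r in enumerate(rules):
        if (_if_match(flow.src_if, r.src_ifs) and _if_match(flow.dst_if, r.dst_ifs)
                and _in_net(flow.src_ip, r.src_net) and _in_net(flow.dst_ip, r.dst_net)):
            return r.action, idx
    return default, None


def full_mesh_rules(src_ifs: Iterable[str], dst_ifs: Iterable[str],
                    src_net: str, dst_net: str, action: str) -> List[Rule]:
    """Full-mesh approach: one rule per (source, destination) interface pair."""
    return [Rule(frozenset({s}), frozenset({d}), src_net, dst_net, action)
            for s, d in product(src_ifs, dst_ifs)]


def zone_rule(src_zone: Iterable[str], dst_zone: Iterable[str],
              src_net: str, dst_net: str, action: str) -> Rule:
    """Zone / interface-group approach: a single rule naming both groups."""
    return Rule(frozenset(src_zone), frozenset(dst_zone), src_net, dst_net, action)


# Constructed topology: three LAN ports, two WAN uplinks, one DMZ port.
LAN = ("port1", "port2", "port3")
WAN = ("wan1", "wan2")
POLICY = ("10.0.0.0/8", "0.0.0.0/0", "accept")  # allow internal hosts out


def any_interface_rules() -> List[Rule]:
    return [Rule(frozenset({ANY}), frozenset({ANY}), *POLICY)]


def zone_rules() -> List[Rule]:
    return [zone_rule(LAN, WAN, *POLICY)]


def mesh_rules() -> List[Rule]:
    return full_mesh_rules(LAN, WAN, *POLICY)


# Constructed sample flows: one intended (LAN -> WAN), one not (LAN -> DMZ).
LAN_TO_WAN = Flow("10.0.1.5", "203.0.113.9", "port2", "wan1")
LAN_TO_DMZ = Flow("10.0.1.5", "192.0.2.20", "port2", "dmz1")


def decisions(rules: List[Rule]) -> dict:
    """Return the action taken for each sample flow under a rule-base."""
    return {"lan_to_wan": evaluate(rules, LAN_TO_WAN)[0],
            "lan_to_dmz": evaluate(rules, LAN_TO_DMZ)[0]}


if __name__ == "__main__":
    for name, rb in (("any", any_interface_rules()), ("zone", zone_rules()), ("mesh", mesh_rules())):
        print(f"{name:4s} rules={len(rb)} {decisions(rb)}")
```

Running it shows the trade-off the text describes: the "any interface" rule also accepts the LAN-to-DMZ flow (the leak the administrator wanted to avoid), the zone rule and the six-rule full mesh make identical decisions, and only the zone form does so with a single rule to maintain.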
There is therefore a need for systems and methods that allow more efficient and flexible configuration of rules for a network security appliance.